1 | /* |
---|
2 | |
---|
3 | osfc2.c |
---|
4 | |
---|
5 | Author: Christophe Wolfhugel |
---|
6 | |
---|
7 | Copyright (c) 1995 Christophe Wolfhugel |
---|
8 | |
---|
9 | Free use of this file is permitted for any purpose as long as |
---|
10 | this copyright is preserved in the header. |
---|
11 | |
---|
12 | This program implements the use of the OSF/1 C2 security extensions |
---|
13 | within ssh. See the file COPYING for full licensing information. |
---|
14 | |
---|
15 | */ |
---|
16 | |
---|
17 | /* |
---|
18 | * $Id: osfc2.c,v 1.1.1.4 1999-03-08 17:43:22 danw Exp $ |
---|
19 | * $Log: not supported by cvs2svn $ |
---|
20 | * Revision 1.11 1998/05/23 20:31:56 kivinen |
---|
21 | * Added osf1c2_check_account_and_terminal function. |
---|
22 | * |
---|
23 | * Revision 1.10 1998/05/11 21:26:49 kivinen |
---|
24 | * Moved prpasswd stuff to be inside if (pr). |
---|
25 | * |
---|
26 | * Revision 1.9 1998/05/11 18:53:16 kivinen |
---|
27 | * Fixed osf1 resource code, by moving resoure limit |
---|
28 | * initialization to initialize_osf_security function. |
---|
29 | * osf1c2_getprpwent function is only called if password |
---|
30 | * authentication is used, and because of this all limits |
---|
31 | * contained zero. This caused sshd client immediately exit |
---|
32 | * because of cpu resource limit exceeded. |
---|
33 | * |
---|
34 | * Revision 1.8 1998/04/30 01:53:57 kivinen |
---|
35 | * Fixed osflim handling so that now it allows setting resource |
---|
36 | * to 0. |
---|
37 | * |
---|
38 | * Revision 1.7 1998/03/30 21:39:40 kivinen |
---|
39 | * Added system default lock check. |
---|
40 | * |
---|
41 | * Revision 1.6 1998/03/27 16:58:42 kivinen |
---|
42 | * Fixed password expire code. |
---|
43 | * |
---|
44 | * Revision 1.5 1998/01/14 16:39:10 kivinen |
---|
45 | * Added check that getespwnam function exists. |
---|
46 | * |
---|
47 | * Revision 1.4 1998/01/02 06:19:31 kivinen |
---|
48 | * Added account locking and expiration support. Added resource |
---|
49 | * limit setting. |
---|
50 | * |
---|
51 | * Revision 1.3 1997/01/08 13:22:36 ttsalo |
---|
52 | * A fix for OSF/1 passwords from |
---|
53 | * Steve VanDevender <stevev@hexadecimal.uoregon.edu> merged. |
---|
54 | * |
---|
55 | * Revision 1.2 1996/10/29 22:43:02 kivinen |
---|
56 | * log -> log_msg. |
---|
57 | * |
---|
58 | * Revision 1.1.1.1 1996/02/18 21:38:11 ylo |
---|
59 | * Imported ssh-1.2.13. |
---|
60 | * |
---|
61 | * Revision 1.3 1995/09/10 23:27:28 ylo |
---|
62 | * Eliminated duplicate #includes. |
---|
63 | * |
---|
64 | * Revision 1.2 1995/09/10 23:03:56 ylo |
---|
65 | * Added copyright. |
---|
66 | * |
---|
67 | * Revision 1.1 1995/09/10 22:41:01 ylo |
---|
68 | * Support functions for OSF/1 C2 extended security |
---|
69 | * authentication. |
---|
70 | * |
---|
71 | */ |
---|
72 | |
---|
73 | #include "includes.h" |
---|
74 | #include "ssh.h" |
---|
75 | #include <sys/security.h> |
---|
76 | #include <prot.h> |
---|
77 | #include <sia.h> |
---|
78 | |
---|
/* Security level of this host, determined once by initialize_osf_security()
   from the "siad_ses_init=" entry of MATRIX_CONF:
     1  = OSF/1 C2 (enhanced security database, set_auth_parameters() called)
     0  = plain BSD security
    -1  = not yet determined (initialize_osf_security() exits if it stays so) */
static int c2security = -1;
/* Algorithm selector of the stored password (pr->ufld.fd_oldcrypt), recorded
   by osf1c2_getprpwent() on C2 hosts and passed to dispcrypt() by
   osf1c2crypt().  Meaningless on BSD-level hosts. */
static int crypt_algo;
/* Per-login resource limits taken from the user's extended-security template
   by osf1c2_check_account_and_terminal().  Slot order: cpu, fsize, data,
   stack, core, rss, nofile, vmem.  -1 means "not set by the template";
   initialize_osf_security() resets every slot to -1. */
long osflim[8];
---|
82 | |
---|
/*
 * Determine whether this OSF/1 host runs with the C2 security extensions
 * or with plain BSD security, and record the answer in c2security.
 *
 * ac, av: the program's argc/argv, handed to set_auth_parameters() when the
 *         host turns out to be in C2 mode.
 *
 * The answer is read from the first "siad_ses_init=" line of MATRIX_CONF:
 * a value mentioning OSFC2 selects C2, one mentioning BSD selects BSD.
 * Anything that prevents a decision (missing SIAIGOODFILE, unreadable
 * MATRIX_CONF, no recognizable entry) is reported on stderr and terminates
 * the process with exit(1), so a misconfigured host never silently runs
 * without the C2 checks.  Also resets every osflim[] slot to -1 ("no limit
 * configured") before any template can fill them in.
 */
void
initialize_osf_security(int ac, char **av)
{
  static const char prefix[] = "siad_ses_init=";
  const size_t prefix_len = sizeof(prefix) - 1;
  char line[256];
  FILE *conf;
  size_t slot;

  /* Resource limits start out unset; osf1c2_check_account_and_terminal()
     may later fill them from the user's extended-security template. */
  for (slot = 0; slot < sizeof(osflim) / sizeof(osflim[0]); slot++)
    osflim[slot] = -1;

  if (access(SIAIGOODFILE, F_OK) == -1)
    {
      /* Broken OSF/1 system, better don't run on it. */
      fprintf(stderr, "%s does not exist. Your OSF/1 system is probably broken.\n",
              SIAIGOODFILE);
      exit(1);
    }

  conf = fopen(MATRIX_CONF, "r");
  if (conf == NULL)
    {
      /* Another way OSF/1 is probably broken. */
      fprintf(stderr, "%s unreadable. Your OSF/1 system is probably broken.\n",
              MATRIX_CONF);
      exit(1);
    }

  /* Scan matrix.conf for the session-init entry; only the first one that
     starts with the prefix is consulted, whatever it says. */
  while (fgets(line, sizeof(line), conf) != NULL)
    {
      if (strncmp(line, prefix, prefix_len) != 0)
        continue;
      if (strstr(line, "OSFC2") != NULL)
        c2security = 1;
      else if (strstr(line, "BSD") != NULL)
        c2security = 0;
      break;
    }
  fclose(conf);

  if (c2security == -1)
    {
      fprintf(stderr, "C2 security initialization failed : could not determine security level.\n");
      exit(1);
    }
  log_msg("OSF/1: security level : %s", c2security == 0 ? "BSD" : "C2");
  if (c2security == 1)
    set_auth_parameters(ac, av);
}
---|
131 | |
---|
/*
 * Pre-authentication account checks against the C2 protected password
 * database.
 *
 * username: login name to look up with getprpwnam().
 * terminal: name of the terminal the login comes from, or NULL, in which
 *           case the per-terminal authorization check is skipped.
 *
 * Returns NULL when the account may proceed to authentication, otherwise a
 * pointer to a constant, user-displayable message saying why the login is
 * refused: account locked, retired, outside its permitted time period,
 * not authorized for this terminal, or locked out.
 *
 * On a BSD-level host (c2security != 1) nothing is checked.
 * NOTE(review): an unknown user (getprpwnam() returning NULL) or a template
 * that getespwnam() cannot find also yields NULL here, i.e. this stage
 * fails open -- presumably the subsequent password check still rejects
 * such users; confirm with the caller.
 *
 * Side effect: when the user has an extended-security template, every
 * resource limit the template explicitly sets (fg_rlim_* == 1) is copied
 * into the global osflim[] (slots: cpu, fsize, data, stack, core, rss,
 * nofile, vmem); slots the template does not set keep their previous value.
 */
const char *osf1c2_check_account_and_terminal(const char *username,
                                              const char *terminal)
{
  if (c2security == 1)
    {
      struct pr_passwd *pr = getprpwnam((char *) username);
      if (pr)
        {
          /* Lock status: a per-user lock field, when present (uflg), takes
             precedence; otherwise the system-wide default (sflg/sfld)
             decides. */
          if (pr->uflg.fg_lock == 1)
            {
              if (pr->ufld.fd_lock == 1)
                {
                  return "\n\tYour account is locked.\n\n";
                }
            }
          else
            if (pr->sflg.fg_lock == 1 && pr->sfld.fd_lock == 1)
              {
                return "\n\tYour account is locked.\n\n";
              }

          /* Retired status, resolved the same way: user field first, system
             default otherwise. */
          if (pr->uflg.fg_retired)
            {
              if (pr->ufld.fd_retired)
                {
                  return "\n\tYour account has been retired.\n\n";
                }
            }
          else
            if (pr->sflg.fg_retired && pr->sfld.fd_retired)
              {
                return "\n\tYour account has been retired.\n\n";
              }

#ifdef HAVE_TIME_LOCK
          /* Library-provided time-of-day restriction; non-zero means
             "outside the allowed period". */
          if (time_lock(pr))
            {
              return "\n\tWrong time period to log into this account.\n\n";
            }
#endif /* HAVE_TIME_LOCK */
          if (pr->uflg.fg_template)
            {
#ifdef HAVE_GETESPWNAM
              /* The user's extended-security template carries the terminal
                 authorization, lockout state and resource limits. */
              struct es_passwd *es = getespwnam(pr->ufld.fd_template);
              if (es)
                {
#ifdef HAVE_GETESTCNAM
                  /* Terminal check only when the caller knows the terminal
                     and the terminal control database has an entry for it. */
                  if (terminal != NULL)
                    {
                      struct es_term *term = getestcnam(terminal);
                      if (term)
                        {
                          /* Non-zero result is treated as "not authorized". */
                          if (auth_for_terminal_es(es, term))
                            {
                              return "\n\tNot authorized to login from that terminal.\n\n";
                            }
                        }
                    }
#endif /* HAVE_GETESTCNAM */
#ifdef HAVE_LOCKED_OUT_ES
                  if (locked_out_es(es))
                    {
                      return "\n\tYour account has been locked out.\n\n";
                    }
#endif /* HAVE_LOCKED_OUT_ES */

                  /** Login resources: copy only the limits the template
                      explicitly sets; the others keep the -1 default from
                      initialize_osf_security(). **/
                  if (es->uflg->fg_rlim_cpu == 1)
                    osflim[0] = es->ufld->fd_rlim_cpu;
                  if (es->uflg->fg_rlim_fsize == 1)
                    osflim[1] = es->ufld->fd_rlim_fsize;
                  if (es->uflg->fg_rlim_data == 1)
                    osflim[2] = es->ufld->fd_rlim_data;
                  if (es->uflg->fg_rlim_stack == 1)
                    osflim[3] = es->ufld->fd_rlim_stack;
                  if (es->uflg->fg_rlim_core == 1)
                    osflim[4] = es->ufld->fd_rlim_core;
                  if (es->uflg->fg_rlim_rss == 1)
                    osflim[5] = es->ufld->fd_rlim_rss;
                  if (es->uflg->fg_rlim_nofile == 1)
                    osflim[6] = es->ufld->fd_rlim_nofile;
                  if (es->uflg->fg_rlim_vmem == 1)
                    osflim[7] = es->ufld->fd_rlim_vmem;
                }
#endif /* HAVE_GETESPWNAM */
            }
        }
    }
  return NULL;
}
---|
222 | |
---|
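/*
 * Bounded copy of a password-database string field into the caller's
 * buffer.  strncpy() alone leaves dst unterminated when src is len bytes
 * or longer, and the caller goes on to use dst as a C string (salt for
 * osf1c2crypt(), string comparison), so termination is forced here.
 * A len of 0 or less leaves dst untouched.
 */
static void
copy_password_field(char *dst, const char *src, int len)
{
  if (len <= 0)
    return;
  strncpy(dst, src, (size_t) len);
  /* No-op when src fitted (strncpy already zero-padded); truncates the
     field otherwise, which makes a later comparison fail safely instead of
     reading past the buffer. */
  dst[len - 1] = '\0';
}

/*
 * Fetch the encrypted password of user n into p and evaluate password aging.
 *
 * p:   destination buffer for the encrypted password; at most len bytes are
 *      written and the result is always NUL-terminated when len > 0.
 * n:   login name.
 * len: size of p in bytes.
 *
 * Returns 1 when the password has expired (C2 hosts only), 0 otherwise.
 * On a C2 host (c2security == 1) the password comes from the protected
 * password database and crypt_algo records the algorithm that produced it;
 * on a BSD host it comes from getpwnam().  If the user is unknown, p is
 * left untouched and 0 is returned.
 *
 * Side effect: sets the global days_before_password_expires when a
 * password lifetime applies -- the system default lifetime when the user
 * has no template, the template's own expire value otherwise.
 */
int
osf1c2_getprpwent(char *p, char *n, int len)
{
  extern int days_before_password_expires;
  struct pr_passwd *pr;
  time_t pschg, tnow;

  if (c2security != 1)
    {
      /* BSD security level: plain passwd database, no aging information. */
      struct passwd *pw = getpwnam(n);
      if (pw)
        copy_password_field(p, pw->pw_passwd, len);
      return 0;
    }

  pr = getprpwnam(n);
  if (pr == NULL)
    return 0;

  copy_password_field(p, pr->ufld.fd_encrypt, len);
  crypt_algo = pr->ufld.fd_oldcrypt;

  tnow = time(NULL);
  /* Time of the last password change; 0 ("never") when not recorded, which
     makes any positive lifetime count from the epoch, i.e. expired. */
  if (pr->uflg.fg_schange == 1)
    pschg = pr->ufld.fd_schange;
  else
    pschg = 0;

  if (pr->uflg.fg_template == 0)
    {
      /* Default template: the system-wide password lifetime applies. */
      if (pr->sflg.fg_lifetime == 1 && pr->sfld.fd_lifetime > 0 &&
          pschg + pr->sfld.fd_lifetime < tnow)
        return 1;
      if (pr->sflg.fg_lifetime && pr->sfld.fd_lifetime > 0)
        days_before_password_expires =
          (pschg + pr->sfld.fd_lifetime - tnow) / 86400;
    }
  else
    {
#ifdef HAVE_GETESPWNAM
      /* User template: its expire value applies.  Declared inside the
         #ifdef so the variable is not unused on hosts without getespwnam(). */
      struct es_passwd *es = getespwnam(pr->ufld.fd_template);
      if (es && es->uflg->fg_expire == 1 && es->ufld->fd_expire > 0)
        {
          if (pschg + es->ufld->fd_expire < tnow)
            return 1;
          days_before_password_expires =
            (pschg + es->ufld->fd_expire - tnow) / 86400;
        }
#endif /* HAVE_GETESPWNAM */
    }
  return 0;
}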
---|
283 | |
---|
/*
 * Encrypt pw with salt using the crypt variant that matches the host's
 * security level.
 *
 * pw:   cleartext password.
 * salt: salt string (in the usual flow, the stored encrypted password
 *       fetched by osf1c2_getprpwent()).
 *
 * Returns whatever the underlying library call returns: a crypt(3)-style
 * string (with crypt(3) this is static storage overwritten by the next
 * call; presumably dispcrypt() behaves alike -- not verified here).
 * On C2 hosts the algorithm selector crypt_algo recorded by
 * osf1c2_getprpwent() is passed to dispcrypt(); otherwise plain crypt().
 */
char *
osf1c2crypt(const char *pw, char *salt)
{
  /* BSD level: the ordinary crypt(3). */
  if (c2security != 1)
    return crypt(pw, salt);
  /* C2 level: the protected password database may hold hashes from several
     algorithms; crypt_algo picks the one that produced this user's entry. */
  return dispcrypt(pw, salt, crypt_algo);
}
---|